Device Time Accumulation

ABSTRACT

A method, system and computer-usable medium are disclosed for performing a device time accumulation operation. With a device time accumulation operation systems within a security intelligence platform which accumulate events within the IT environment associate an event ingest time with the event. When the events are provided for analysis, the device time accumulation operation analyzes the ingest times as well as the emit time to take into account historical time data associated with the accumulated events.

BACKGROUND OF THE INVENTION

Field of the Invention

The present invention relates in general to the field of computers and similar technologies, and in particular to software utilized in this field. Still more particularly, it relates to a method, system and computer-usable medium for performing a device time accumulation operation.

Description of the Related Art

Organizations today are exposed to a greater volume and variety of attacks than in the past. Advanced attackers are clever and patient, leaving just a whisper of their presence. Accordingly, it is desirable to provide security functionality which helps to detect and defend against threats by applying sophisticated analytics to more types of data. It is also desirable to provide such security functionality which identifies high-priority incidents that might otherwise get lost in the noise of the overall operation of a large scale information processing environment.

It is known to provide security functionality to IT environments via security intelligence platforms which integrate security information and event management (SIEM), log management, anomaly detection, vulnerability management, risk management and incident forensics into a unified solution.

In many known IT environments, such as large scale security intelligence platforms, events can be accumulated within a monitored system but not provided for analysis until some later time. When this occurs, the time information used for analyzing the events, including time series graphs, may be skewed.

SUMMARY OF THE INVENTION

A method, system and computer-usable medium are disclosed for performing a device time accumulation operation. With a device time accumulation operation, systems within a security intelligence platform which accumulate events within the IT environment associate an event ingest time with the event. When the events are provided for analysis, the device time accumulation operation analyzes the ingest times as well as the emit time to take into account historical time data associated with the accumulated events.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention may be better understood, and its numerous objects, features and advantages made apparent to those skilled in the art, by referencing the accompanying drawings. The use of the same reference number throughout the several figures designates a like or similar element.

FIG. 1 depicts an exemplary client computer in which the present invention may be implemented.

FIG. 2 is a simplified block diagram of a security intelligence platform.

FIG. 3 is a generalized flowchart of the operation of a device time accumulation operation.

DETAILED DESCRIPTION

A method, system and computer-usable medium are disclosed for performing a device time accumulation operation. With a device time accumulation operation, systems within a security intelligence platform which accumulate events within the IT environment associate an event ingest time with the event. When the events are provided for analysis, the device time accumulation operation analyzes the ingest times as well as the emit time to take into account historical time data associated with the accumulated events.

As will be appreciated by one skilled in the art, the present invention may be embodied as a method, system, or computer program product. Accordingly, embodiments of the invention may be implemented entirely in hardware, entirely in software (including firmware, resident software, micro-code, etc.) or in an embodiment combining software and hardware. These various embodiments may all generally be referred to herein as a “circuit,” “module,” or “system.” Furthermore, the present invention may take the form of a computer program product on a computer-usable storage medium having computer-usable program code embodied in the medium.

Any suitable computer usable or computer readable medium may be utilized. The computer-usable or computer-readable medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, or a magnetic storage device. In the context of this document, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.

Computer program code for carrying out operations of the present invention may be written in an object oriented programming language such as Java, Smalltalk, C++ or the like. However, the computer program code for carrying out operations of the present invention may also be written in conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

Embodiments of the invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process, such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

FIG. 1 is a block diagram of an exemplary client computer 102 in which the present invention may be utilized. Client computer 102 includes a processor unit 104 that is coupled to a system bus 106. A video adapter 108, which controls a display 110, is also coupled to system bus 106. System bus 106 is coupled via a bus bridge 112 to an Input/Output (I/O) bus 114. An I/O interface 116 is coupled to I/O bus 114. The I/O interface 116 affords communication with various I/O devices, including a keyboard 118, a mouse 120, a Compact Disk-Read Only Memory (CD-ROM) drive 122, a floppy disk drive 124, and a flash drive memory 126. The format of the ports connected to I/O interface 116 may be any known to those skilled in the art of computer architecture, including but not limited to Universal Serial Bus (USB) ports.

Client computer 102 is able to communicate with a service provider server 152 via a network 128 using a network interface 130, which is coupled to system bus 106. Network 128 may be an external network such as the Internet, or an internal network such as an Ethernet Network or a Virtual Private Network (VPN). Using network 128, client computer 102 is able to use the present invention to access service provider server 152.

A hard drive interface 132 is also coupled to system bus 106. Hard drive interface 132 interfaces with a hard drive 134. In a preferred embodiment, hard drive 134 populates a system memory 136, which is also coupled to system bus 106. Data that populates system memory 136 includes the client computer's 102 operating system (OS) 138 and software programs 144.

OS 138 includes a shell 140 for providing transparent user access to resources such as software programs 144. Generally, shell 140 is a program that provides an interpreter and an interface between the user and the operating system. More specifically, shell 140 executes commands that are entered into a command line user interface or from a file. Thus, shell 140 (as it is called in UNIX®), also called a command processor in Windows®, is generally the highest level of the operating system software hierarchy and serves as a command interpreter. The shell provides a system prompt, interprets commands entered by keyboard, mouse, or other user input media, and sends the interpreted command(s) to the appropriate lower levels of the operating system (e.g., a kernel 142) for processing. While shell 140 generally is a text-based, line-oriented user interface, the present invention can also support other user interface modes, such as graphical, voice, gestural, etc.

As depicted, OS 138 also includes kernel 142, which includes lower levels of functionality for OS 138, including essential services required by other parts of OS 138 and software programs 144, including memory management, process and task management, disk management, and mouse and keyboard management. Software programs 144 may include a browser 146 and email client 148. Browser 146 includes program modules and instructions enabling a World Wide Web (WWW) client (i.e., client computer 102) to send and receive network messages to the Internet using HyperText Transfer Protocol (HTTP) messaging, thus enabling communication with service provider server 152. In various embodiments, software programs 144 may also include a device time accumulation system 150. In these and other embodiments, the device time accumulation system 150 includes code for implementing the processes described hereinbelow. In one embodiment, client computer 102 is able to download the device time accumulation system 150 from a service provider server 152.

The hardware elements depicted in client computer 102 are not intended to be exhaustive, but rather are representative to highlight components used by the present invention. For instance, client computer 102 may include alternate memory storage devices such as magnetic cassettes, Digital Versatile Disks (DVDs), Bernoulli cartridges, and the like. These and other variations are intended to be within the spirit, scope and intent of the present invention.

FIG. 2 shows a simplified block diagram of a security intelligence environment 200 which includes a security intelligence platform 210 in accordance with various aspects of the invention. The security intelligence platform 210 integrates security information and event management (SIEM), log management, anomaly detection, vulnerability management, risk management and incident forensics into a unified solution. By using intelligence, integration and automation to provide 360-degree security insight, the security intelligence platform 210 delivers threat detection, ease of use and lower total cost of ownership, together with security and compliance functionality.

The security intelligence platform 210 receives information from one or more of a plurality of data sources 220 and performs one or more of correlation operations, activity baselining and anomaly detection operations, offense identification operations and device time accumulation operations to provide an identification of a true offense 222 as well as identification of suspected incidents 224. In certain embodiments, the security intelligence platform 210 includes one or more of an integrated family of modules that can help detect threats that otherwise would be missed. For example, in certain embodiments, the family of modules can include a correlation module 230 for performing the correlation operations, an activity baselining and anomaly detection module 232 for performing the activity baselining and anomaly detection operations, an offense identification module 234 for performing the offense identification operation and a device time accumulation module 236 for performing a device time accumulation operation. In various embodiments, the correlation operation includes one or more of logs/events analysis, flow analysis, IP reputation analysis and geographic location analysis. In various embodiments, the activity baselining and anomaly detection operation includes one or more of user activity analysis, database activity analysis, application activity analysis and network activity analysis. In various embodiments, the offense identification operation includes one or more of credibility analysis, severity analysis and relevance analysis. The plurality of data sources 220 can include one or more of security devices 240, servers and mainframes 242, network and virtual activity data sources 244, data activity data sources 246, application activity data sources 248, configuration information data sources 250, vulnerabilities and threats information data sources 252, as well as users and identities data sources 254. The data sources 220 can also include an event accumulation module 256 into which events generated by any of the data sources are stored while awaiting forwarding to the security intelligence platform 210.

The security intelligence platform 210 helps detect and defend against threats by applying sophisticated analytics to the data received from the plurality of data sources. In doing so, the security intelligence platform 210 helps identify high-priority incidents that might otherwise get lost in the noise of the operation of a large scale information processing environment. The security intelligence platform 210 uses some or all of the integrated family of modules to solve a number of business issues including: consolidating data silos into one integrated solution; identifying insider theft and fraud; managing vulnerabilities, configurations, compliance and risks; conducting forensic investigations of incidents and offenses; and addressing regulatory mandates.

In various embodiments, the security intelligence platform 210 provides a plurality of functions. For example, in certain embodiments, the security intelligence platform consolidates data silos from a plurality of data sources. More specifically, while a wealth of information, such as log, network flow and business process data, exists within organizations operating large scale information processing systems, this information is often held in discrete data silos. The security intelligence platform 210 converges network, security and operations views into a unified and flexible solution. The security intelligence platform breaks down the walls between silos by correlating logs with network flows and a multitude of other data, presenting virtually all relevant information on a single screen. Such a correlation helps enable superior threat detection and a much richer view of enterprise activity.

Additionally, in various embodiments, the security intelligence platform performs an insider fraud detection operation. Some of the gravest threats to an organization can come from inside the organization, yet organizations often lack the intelligence needed to detect malicious insiders or outside parties that have compromised user accounts. By combining user and application monitoring with application-layer network visibility, organizations can better detect meaningful deviations from normal activity, helping to stop an attack before it completes.

Additionally, in various embodiments, the security intelligence platform 210 predicts and remediates risk and vulnerabilities. Security, network and infrastructure teams strive to manage risk by identifying vulnerabilities and prioritizing remediation before a breach occurs. The security intelligence platform 210 integrates risk, configuration and vulnerability management with SIEM capabilities, including correlation and network flow analytics, to help provide better insight into critical vulnerabilities. As a result, organizations can remediate risks more effectively and efficiently.

Additionally, in various embodiments, the security intelligence platform 210 can conduct forensics analysis. In certain embodiments, the security intelligence platform 210 includes integrated incident forensics which helps IT security teams reduce the time spent investigating security incidents and eliminates the need for specialized training. The security intelligence platform 210 expands security data searches to include full packet captures and digitally stored text, voice, and image documents. The security intelligence platform helps present clarity around what happened when, who was involved, and what data was accessed or transferred in a security incident. As a result, the security intelligence platform 210 helps remediate a network breach and can help prevent it from succeeding again.

Additionally, in various embodiments, the security intelligence platform 210 addresses regulatory compliance mandates. Many organizations wrestle with passing compliance audits while having to perform data collection, monitoring and reporting with increasingly limited resources. To automate and simplify compliance tasks, the security intelligence platform 210 provides collection, correlation and reporting on compliance-related activity, backed by numerous out-of-the-box report templates.

The security intelligence platform 210 leverages easier-to-use security analytics. More specifically, the security intelligence platform 210 provides a unified architecture for storing, correlating, querying and reporting on log, flow, vulnerability, and malevolent user and asset data. The security intelligence platform 210 combines sophisticated analytics with out-of-the-box rules, reports and dashboards. While the platform is powerful and scalable for large corporations and major government agencies, the platform is also intuitive and flexible enough for small and midsize organizations. Users benefit from potentially faster time to value, lower cost of ownership, greater agility, and enhanced protection against security and compliance risks.

The security intelligence platform 210 provides advanced intelligence. More specifically, by analyzing more types of data and using more analytics techniques, the platform can often detect threats that might be missed by other solutions and help provide advanced network visibility.

The security intelligence platform 210 also provides advanced integration. Because the security intelligence platform includes a common application platform, database and user interface, the platform delivers massive log management scale without compromising the real-time intelligence of SIEM and network behavior analytics. It provides a common solution for all searching, correlation, anomaly detection and reporting functions. A single, intuitive user interface provides seamless access to all log management, flow analysis, incident management, configuration management, risk and vulnerability management, incident forensics, dashboard and reporting functions.

The security intelligence platform 210 also provides advanced automation. More specifically, the security intelligence platform 210 is simple to deploy and manage, offering extensive out-of-the-box integration modules and security intelligence content. By automating many asset discovery, data normalization and tuning functions, while providing out-of-the-box rules and reports, the security intelligence platform 210 is designed to reduce the complexity of operating the platform.

Referring to FIG. 3, a flow chart of a device time accumulation operation 300 is shown. More specifically, the device time accumulation operation begins at step 310 by monitoring the data sources 220 to determine whether an event has been generated by a system within the security intelligence environment 200. Any of the data sources 220 may generate an event. In various embodiments, the data sources 220 may include one or more of a firewall, a network switch, a user end point (e.g., some form of information processing system such as a portable information processing system or a desktop information processing system), a wireless access point and a physical security device (e.g., a badge reader). Next, at step 320, when an event is generated, the event is stored within the event accumulation module 256. When the event is stored within the event accumulation module 256, an event emit time is associated with the event and is stored within the event accumulation module 256 with the event at step 325. For the purposes of this disclosure, an event emit time corresponds to the time at which an associated event is generated by a data source.

Next, at step 330, the device time accumulation operation 300 analyzes an accumulation status to determine whether to forward any accumulated events on to the security intelligence platform 210. If the device time accumulation operation 300 determines, based upon the accumulation status, not to forward the accumulated events, then the operation returns to step 310 to await a next event. If the device time accumulation operation 300 determines, based upon the accumulation status, to forward the accumulated events, then the operation 300 forwards the accumulated events to the security intelligence platform 210 at step 340. When the events are forwarded to the security intelligence platform 210, an event ingest time is associated with each forwarded event at step 345. For the purposes of this disclosure, an event ingest time corresponds to the time at which an associated event is forwarded to the security intelligence platform 210.

The device time accumulation module 236 then makes use of both the event ingest time and the event emit time to analyze the events so as to take historical data into account. More specifically, the device time accumulation module 236 can use time series graphs for analyzing the events, taking into account both the event ingest time and the event emit time associated with each event. In various embodiments, the event ingest times and the event emit times are used to create accumulations of the data. The accumulations that are created are used for analytics or to populate time-series graphs for graphical representation of the data. In various embodiments, the accumulations may be ordered by device time or by security analysis platform time. This information becomes especially important when the analysis takes into account the accumulation of multiple events across a given amount of time. In this situation, emit times alone can skew the time series graph analysis, whereas including ingest times in the time series graph does not.
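The following is an added example and not code from the patent or from any product it describes. It simulates the operation of FIG. 3 end to end: an event accumulation module stamps each stored event with an emit time (step 325), forwards the accumulated batch once its accumulation status says so (steps 330 and 340), and the forwarded events are stamped with an ingest time (step 345); the events are then bucketed into one-minute time series by each timestamp so the difference between a device-time and a platform-time accumulation can be seen. The bucket width, the size and age thresholds used as the accumulation status, the epoch origin and the four log messages are all constructed assumptions.

```python
"""Added example (not from the patent): simulation of device time accumulation.

A data source buffers events with an emit time, forwards them in a batch
that is stamped with an ingest time, and the platform builds time series
from either timestamp.  All thresholds, timestamps and messages are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BUCKET_SECONDS = 60          # one-minute time-series buckets (assumption)
START = 1_700_000_040.0      # constructed epoch origin, aligned to a minute


@dataclass
class Event:
    source: str                          # e.g. "firewall", "badge-reader"
    message: str
    emit_time: float                     # when the data source generated the event
    ingest_time: Optional[float] = None  # set when forwarded to the platform


class EventAccumulationModule:
    """Buffers events at the data source until the accumulation status
    (buffer size or age of the oldest buffered event) says 'forward'."""

    def __init__(self, max_events: int, max_age_seconds: float) -> None:
        self.max_events = max_events
        self.max_age = max_age_seconds
        self._buffer: List[Event] = []

    def store(self, source: str, message: str, now: float) -> None:
        # Steps 320/325: store the event together with its emit time.
        self._buffer.append(Event(source, message, emit_time=now))

    def should_forward(self, now: float) -> bool:
        # Step 330: evaluate the accumulation status (thresholds are assumptions).
        if not self._buffer:
            return False
        oldest = min(e.emit_time for e in self._buffer)
        return len(self._buffer) >= self.max_events or now - oldest >= self.max_age

    def forward(self, now: float) -> List[Event]:
        # Steps 340/345: hand the batch over and stamp each event with the ingest time.
        batch, self._buffer = self._buffer, []
        for e in batch:
            e.ingest_time = now
        return batch


def time_series(events: List[Event], key: str, origin: float) -> Dict[int, int]:
    """Count events per BUCKET_SECONDS bucket, keyed on 'emit_time' or 'ingest_time'."""
    counts: Dict[int, int] = {}
    for e in events:
        bucket = int((getattr(e, key) - origin) // BUCKET_SECONDS)
        counts[bucket] = counts.get(bucket, 0) + 1
    return dict(sorted(counts.items()))


def accumulation_delays(events: List[Event]) -> List[float]:
    """Seconds each event waited in the accumulation module (ingest - emit)."""
    return [e.ingest_time - e.emit_time for e in events]


def run_scenario() -> List[Event]:
    """Four constructed events emitted over five minutes but forwarded together."""
    module = EventAccumulationModule(max_events=10, max_age_seconds=300)
    platform: List[Event] = []
    constructed = [  # (seconds after START, source, message); constructed sample input
        (0, "firewall", "deny tcp 10.0.0.5 -> 203.0.113.9:445"),
        (90, "badge-reader", "door 3 opened by badge 4412"),
        (200, "firewall", "deny tcp 10.0.0.5 -> 203.0.113.9:445"),
        (310, "switch", "port gi1/0/7 link down"),
    ]
    for offset, source, message in constructed:
        now = START + offset
        module.store(source, message, now)
        if module.should_forward(now):       # age of oldest event reaches 300 s at offset 310
            platform.extend(module.forward(now))
    return platform


if __name__ == "__main__":
    events = run_scenario()
    print("by emit time  :", time_series(events, "emit_time", START))
    print("by ingest time:", time_series(events, "ingest_time", START))
    print("delays (s)    :", accumulation_delays(events))
```

Bucketed by emit time the four events fall into four separate minutes, which is when the devices actually observed them; bucketed by ingest time they collapse into a single spike in the minute the batch was forwarded. Keeping both timestamps lets the accumulation be ordered by device time or by platform time, and the per-event delay (ingest minus emit) shows how long a source was buffering, which is itself worth alerting on when it grows unexpectedly. One caveat: the emit time comes from the data source's own clock, so a mis-set or tampered device clock distorts a device-time series, whereas the ingest time is stamped by the platform and is independent of the source.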

Although the present invention has been described in detail, it should be understood that various changes, substitutions and alterations can be made hereto without departing from the spirit and scope of the invention as defined by the appended claims.

1. A computer-implemented method for processing device time information, comprising: monitoring a security intelligence platform for a plurality of events, the plurality of events being generated by at least one data source of the security intelligence environment; storing the plurality of events for later processing, the storing comprising associating an event emit time with each of the plurality of events, the event emit time representing a time when the event was generated; forwarding the plurality of events to a security platform, the forwarding comprising associating an event ingest time with each of the plurality of events, the event ingest time representing a time when the event was forwarded to the security platform; and processing the plurality of events, the processing considering the event ingest time and the event emit time of each of the plurality of events.
 2. The method of claim 1, wherein: the at least one data source comprises at least one of a security device and an information processing system.
 3. The method of claim 1, wherein: the plurality of events comprises at least one of information relating to network and virtual activity, information relating to data activity, information relating to application activity, configuration information, vulnerability and threat information and information relating to users and identities.
 4. The method of claim 1, wherein: the plurality of events are stored within an event accumulation module.
 5. The method of claim 1, wherein: the processing further comprises using a set of criteria to group events together based upon similar properties and recording events over time.
 6. The method of claim 1, wherein: the processing further comprises creating accumulations of the plurality of events, the accumulations being used for analytics or to populate time-series graphs for graphical representation of the data.
 7-20. (canceled)